Security Policy
Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0
1. Introduction
Voice AI Portal (“we,” “us,” or “our”) is a white-label Software-as-a-Service (SaaS) analytics platform operated by ALIM Ltd (Company Number 14528810), registered in England and Wales. We aggregate call analytics and ROI metrics from voice AI platforms (Retell AI, VAPI, ElevenLabs) into branded client workspaces for AI agencies.
This Security Policy outlines our comprehensive security framework, demonstrating enterprise-grade security practices aligned with SOC 2 Type II principles, ISO 27001 standards, and UK GDPR Article 32 security requirements. We operate under a shared responsibility model clearly defining security obligations across infrastructure providers, voice AI integrations, and our platform.
Security Commitment: Protecting customer data and platform integrity is our highest priority.
2. Company Certifications & Compliance
Current Certifications & Compliance:
•SOC 2 Type II (Trust Services Criteria: Security, Availability, Confidentiality, Privacy, Processing Integrity)
• ISO 27001 Information Security Management (planned 2026)
• UK GDPR Article 32 Security of Processing
• PCI DSS (via Stripe payment processor)
• EU Cloud Code of Conduct (GCP, Supabase compliance)
Independent Audits:
- Annual third-party SOC 2 Type II audits
- Quarterly internal security assessments
- Bi-annual penetration testing by certified providers
- Monthly vulnerability scanning
Audit Reports: Available to enterprise customers under NDA.
3. Shared Responsibility Model
Voice AI Portal operates under a three-tier shared responsibility model:
| Security Domain | Infrastructure Provider | Voice AI Provider | Voice AI Portal |
|---|---|---|---|
| Infrastructure | GCP physical security, VPC, hypervisor | N/A | Service configuration, IAM, network security |
| Voice Processing | Underlying compute/storage | Call recording, AI models, telephony | API integration, metadata only |
| Application | Platform services (GCP, Supabase) | Voice API endpoints | App security, auth, RBAC |
| Data | Storage encryption | Voice data security | Customer metadata, billing |
| Compliance | Infrastructure certifications | Voice-specific compliance | Platform GDPR/SOC 2 |
3.1 Infrastructure Layer (GCP + Supabase)
Google Cloud Platform (europe-west1, Belgium) and Supabase (eu-central-1, Germany) provide:
•Physical data center security
• Network infrastructure & DDoS protection
• Hypervisor & OS patching
• Infrastructure compliance (SOC 2, ISO 27001)
3.2 Voice AI Provider Layer
Retell AI, VAPI, ElevenLabs are responsible for:
•Voice recording storage & security
• AI model security & privacy
• Telephony infrastructure
• Real-time communication encryption
• Voice-specific compliance (TCPA, consent)
Voice AI Portal Role: Metadata retrieval only (no voice storage).
3.3 Voice AI Portal Application Layer
We maintain responsibility for:
•Application security & code integrity
• Supabase authentication & RBAC
• Multi-tenant isolation
• White-label domain security
• API security & integrations
4. Voice AI Portal Security Framework
4.1 Secure Development Lifecycle (SDL)
Code Security:
•OWASP Top 10 secure coding standards
• Snyk dependency vulnerability scanning (weekly)
• GitHub Advanced Security code scanning
• Pre-commit security hooks
• Mandatory 2-person code review
CI/CD Pipeline:
•Automated security testing (SAST/DAST)
• Container image vulnerability scanning
• Infrastructure as Code (IaC) security validation
• Signed container images & commits
• Immutable deployments
4.2 Authentication & Authorization
Supabase Authentication (eu-central-1):
•Bcrypt password hashing (per-user salt)
• JWT tokens with 24h expiry + refresh
• Row Level Security (RLS) tenant isolation
• Rate limiting (5 failed logins → lockout)
• Magic link authentication (time-limited)
Role-Based Access Control (RBAC):
•6 permission levels: Super Admin, Agency Admin, Workspace Admin, Workspace Editor, Workspace Viewer, Guest
• Granular permissions per resource type
• Just-in-time privilege elevation
• Audit trail for all permission changes
Multi-Factor Authentication (MFA):
•Required for all Admin accounts
• Optional for Workspace users
• TOTP + backup codes
• Hardware security key support (YubiKey)
4.3 Data Protection
Encryption Standards:
•Data at Rest: AES-256 (Supabase + GCP)
• Data in Transit: TLS 1.3 (HSTS enabled)
• Database: Supabase RLS + GCP Cloud SQL encryption
• Key Management: GCP KMS + Supabase native
• White-label SSL: Cloudflare automatic provisioning
Data Classification:
•Public: Marketing content, public docs
• Internal: Operational data, analytics
• Confidential: Customer metadata, billing
• Restricted: Authentication credentials, API keys
Data Minimization: Only collect necessary metadata (no voice content storage).
4.4 Network & Infrastructure Security
Google Cloud Platform (europe-west1):
•VPC with private subnets
• Cloud Armor WAF + DDoS protection
• Cloud Load Balancing with health checks
Cloudflare Security:
•OWASP Top 10 WAF ruleset
• DDoS mitigation (100+ Gbps capacity)
• Bot Management (95%+ accuracy)
• Rate limiting (API abuse protection)
• Managed Challenge for suspicious traffic
4.5 Multi-Tenant & White-Label Security
Tenant Isolation:
•Supabase RLS policies (database-level)
• Application-level workspace ID enforcement
• Separate Cloud SQL schemas per enterprise client
• Logical network segmentation (VPC peering)
• Audit logs isolated per tenant
White-Label Security:
•Cloudflare SSL for custom domains (auto-renewal)
• CSP headers per tenant (content isolation)
• Custom domain validation (DNS ownership)
• Per-domain security analytics
5. Monitoring & Incident Response
5.1 24/7 Security Monitoring
Security Operations Center (SOC):
•GCP Security Command Center (unified view)
• Cloudflare Security Analytics (real-time)
• Supabase audit logs (authentication)
• GCP Cloud Logging (centralized)
Threat Detection:
• Cloudflare Threat Score (0-10 risk rating)
• Anomaly detection (login patterns, API usage)
• File integrity monitoring
• Configuration drift detection
5.2 Incident Response Procedures
IR Playbooks (SOC 2 compliant):
1.Detection → Automated alerting (PagerDuty)
2. Triage → Severity classification (P1-P4)
3. Containment → Isolate affected systems
4. Eradication → Remove root cause
5. Recovery → Restore from backups
6. Lessons Learned → Post-mortem + playbook update
Notification SLAs:
•P1 (Critical): ICO notification <72h, Clients <24h
• P2 (High): Clients <48h
• P3 (Medium): Clients <5 days
• P4 (Low): Internal only
6. Vulnerability Management
Vulnerability Scanning:
• Weekly: Snyk (dependencies), GCP Security Scanner
• Monthly: Qualys external scanning
• Quarterly: Full pen test (independent provider)
• Daily: Cloudflare threat intelligence
Patch Management:
• Critical: <24h
• High: <7 days
• Medium: <30 days
• Low: <90 days
Responsible Disclosure: Bug bounty program via HackerOne (private).
7. Third-Party Risk Management
7.1 Sub-Processor Security Requirements
All third-party providers must meet:
• SOC 2 Type II or ISO 27001
• Executed DPA (Article 28 UK GDPR)
• Annual security audit reports
• 24h breach notification SLA
• Right to audit (with notice)
Current Providers: Supabase, GCP, Cloudflare, Resend, Stripe ✓
7.2 Voice AI Provider Security
Client Responsibility (Retell AI, VAPI, ElevenLabs):
• Execute DPA directly with providers
• Configure recording consent mechanisms
• Monitor provider security posture
• Validate voice data compliance
Voice AI Portal Role: Secure API integration only.
8. Business Continuity & Disaster Recovery
Backup Strategy:
• Daily automated backups (Supabase + GCP)
• 7-day retention + 30-day point-in-time recovery
• Cross-region replication (europe-west4)
• Quarterly restore testing
Recovery Objectives:
• RTO (Recovery Time): 4 hours
• RPO (Recovery Point): 1 hour
• Multi-AZ high availability (99.95% uptime SLA)
9. Compliance Framework
Regulatory Compliance:
• UK GDPR: Article 32 security, Article 28 processing
• EU GDPR: SCCs for US transfers
• PCI DSS: Via Stripe (Level 1)
• Digital Markets Act: Interoperability standards
Framework Alignment:
• NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover
• CIS Controls v8: Implementation Groups 1-3
• ISO 27001: Annex A controls (planned certification)
10. Employee Security Program
Onboarding:
• Background checks (UK DBS where required)
• Security awareness training (mandatory)
• Signed confidentiality agreements
Access Controls:
• Least privilege principle
• Quarterly access reviews
• Just-in-time privileged access
• Immediate offboarding (<1h)
Security Culture:
• Monthly phishing simulations (95%+ pass rate)
• Annual security certification training
• Security champions program
11. Security Governance
Security Committee: Monthly meetings (CTO, DPO, engineering leads)
Risk Management:
• Quarterly risk assessments
• Annual third-party risk reviews
• Continuous threat modeling
Metrics Dashboard:
• MTTD (Mean Time to Detect): <15 min
• MTTR (Mean Time to Respond): <4h
• Vulnerability backlog: <30 days
• Patch compliance: >99%
12. Security Contact & Reporting
Security Officer: ALIM Ltd Security Team
Email: [email protected]
Emergencies: +44 7725999798 (24/7)
Vulnerability Reporting:
1. Email: [email protected]
2. Subject: "Security Vulnerability Report - [Brief Description]"
3. Include: Steps to reproduce, impact assessment, affected component
4. Response SLA: 24 hours
5. No unauthorized data access/modification
Responsible Disclosure Program: Available via HackerOne (private program).
Data Breach Reporting:
ICO notification: [email protected] (<72h)
Client notification: [email protected] (<24h P1)
13. Policy Review & Updates
Review Cadence:
• Quarterly: Technical controls
• Semi-annual: Third-party risk
• Annual: Full policy review + audit
• Ad-hoc: Material incidents/changes
Version Control:
• Document maintained in GitHub Enterprise
• Signed releases with change log
• Client notification for material changes
Next Review: April 6, 2026
Document Control:
Owner: ALIM Ltd Security Team
Approval: CTO + DPO
Classification: Public